Apple Hide My Email Still Leaks Real Addresses After Claimed Fix

Apple's iCloud+ Hide My Email vulnerability still exposes real addresses with a 100% success rate, and multiple fixes claimed by Apple have failed to close the flaw.

    Security researcher Tyler Murphy and 404 Media independently confirmed that Apple’s iCloud+ “Hide My Email” feature remains fully exploitable despite Apple claiming it had been addressed in a system change in March 2026. Murphy’s testing found that 100% of active Hide My Email relay addresses can be traced back to the real Apple ID email behind them — a complete failure of the privacy feature for all iCloud+ subscribers using it.

    How Apple’s iCloud+ Hide My Email Relay Flaw Exposes Real Addresses

    Hide My Email is a privacy feature available to all iCloud+ subscription tiers, starting at $0.99 per month. It allows users to sign up for websites and services using randomly generated relay addresses — strings like xyz123@privaterelay.appleid.com — that forward messages to the user’s actual inbox. The design intent is to prevent services from learning the user’s real Apple ID address, shielding identity across signups without requiring users to maintain separate email accounts.

    The vulnerability Murphy identified lies in Apple’s relay infrastructure itself. An attacker who obtains a victim’s generated Hide My Email address — which is visible to any service the victim uses it with — can reverse-engineer the victim’s real Apple ID email address through a flaw in how Apple’s relay system handles address mapping. Murphy’s testing found the attack succeeds against every generated address, with no failures, yielding a 100% de-anonymization rate.

    Tyler Murphy’s Disclosure Timeline and Apple’s Repeated Failed Fix Attempts

    Murphy reported the vulnerability to Apple more than 12 months before confirming it remained exploitable. Apple acknowledged the report and in March 2026 notified Murphy that it had been “addressed in a recent system change.” Murphy retested after that claim and found the vulnerability still present and fully functional.

    Subsequent Apple software updates in April and May 2026 were each accompanied by communications to Murphy promising a fix “in the coming weeks.” Neither update closed the vulnerability. As of the researcher’s confirmation and 404 Media’s independent verification, the flaw has remained unpatched through multiple Apple system updates that Apple’s own communications suggested would resolve it. Apple has issued no public statement about the vulnerability.

    Why iCloud+ Privacy Users Face the Greatest Risk From This Flaw

    The population most exposed to this flaw is the same population that took active steps to protect their email privacy. Hide My Email users specifically chose not to share their real address with services — a deliberate privacy measure. The attack inverts that protection entirely: any service or attacker who received a generated relay address from the user can now determine the real Apple ID address the user was trying to conceal.

    This creates a cascading exposure risk. A user who deployed Hide My Email across dozens of service signups to protect their identity has, in effect, given those services — and anyone who compromises those services — a uniform key to their real identity. Every generated address points back to the same real account. Breach of any service that stored a Hide My Email relay address becomes a de-anonymization vector for the user’s true identity.

    The Scope of Affected Hide My Email Relay Addresses

    Hide My Email is actively used by tens of millions of iCloud+ subscribers globally. The breach surface is not limited to users who signed up for a single service using a relay address — it extends to anyone who used Hide My Email for any signup, across any platform, at any point. The vulnerability does not require the attacker to have compromised Apple’s systems; it requires only possession of a generated relay address, which is visible to the service the address was used with.

    The Gap Between Apple’s Communications and Deployed Fixes

    The disclosure documents a sustained gap between Apple’s internal communications about the fix and the actual deployment of a working remediation. Apple told Murphy in March 2026 that the issue was addressed. It was not. April and May updates carried the same message. They did not close the vulnerability either. That pattern — repeated acknowledgment without resolution — is notable for a vulnerability in a paid privacy feature marketed to subscribers specifically as a protection against the kind of identity exposure it enables.

    Murphy and 404 Media published their confirmation without receiving a new timeline or acknowledgment from Apple for the period following the May 2026 communications. iCloud+ subscribers who have used Hide My Email addresses have no current technical protection against the relay de-anonymization attack, and Apple has provided no guidance on when a working fix will be available.
